A flaw in Microsoft's Internet Explorer which leaves users vulnerable to hackers has not been fixed, despite its discoverer giving the company six months grace to do so before publishing details.

The flaw "allows remote attackers to execute arbitrary code" on vulnerable, older versions of IE such as 8, says the Zero Day Initiative site, which offers rewards for finding flaws in commercial software. It was originally discovered by Peter Van Eeckhoutte, also known as "corelanc0d3r".

User interaction is required to exploit the hole, in that the victim would have to open a malicious website or file. Although IE8 has since been superseded by newer versions, it still accounts for around 20 per cent of internet traffic, according to statistics from Net Applications.

The flaw was first disclosed to Microsoft in November last year, and the site usually gives 180 days for a fix to be applied before it is publicly disclosed. By February, Microsoft had confirmed that it had been able to replicate the problem, but had not fixed it.

Zero Day Initiative received no indication that the flaw would be fixed, so it extended the usual secrecy period, informed Microsoft that it was going to go ahead with publication, and eventually released the information late last night.

Microsoft did provide mitigation advice to the site, pointing out that the attack would only work if a user visited a certain site or clicked on a certain link. There would be no way to force a user to do this, it said; they would have to be convinced or tricked into doing so.